From: "Ravi Kumar Siddojigari" <rsiddoji@codeaurora.org>
To: <selinux@vger.kernel.org>
Subject: [PATCH] selinux: move pkey sid cache based retrieval under defconfig
Date: Mon, 16 Dec 2019 15:38:16 +0530
Message-ID: <001501d5b3f8$bdc5b610$39512230$@codeaurora.org>

Hi Team,
We see an increase in memory consumption from the 4.9 -> 4.19 kernel, which is
impacting low_ram devices.
So we thought of enabling only what is really needed for such devices,
where performance might not be on the priority list.
One such patch is the one for the pkey sid cache, which was added with commit
"409dcf31",
which can be moved under defconfig, where it is enabled by default and only
disabled for low_ram targets.
This is going to save RAM/reduce slub usage.

--
From 1719256bbb8fe3e239be0928386a50b7b41752e8 Mon Sep 17 00:00:00 2001
From: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Date: Wed, 11 Dec 2019 19:57:24 +0530
Subject: [PATCH] selinux: move pkey sid cache based retrieval under
defconfig
 .

Adding a new key, CONFIG_FASTER_RETRIEVAL_PKEY_SID, which is used to enable the
cache-based pkey sid retrieval code added with commit 409dcf31.
This is going to alloc a new cache for this booster, which may impact
low ram devices. By default it's enabled; low_ram targets
can disable this feature.

Change-Id: I80a13fb7bce8723c8c880cb77cbaee42db413a7a
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
---
 security/selinux/Kconfig          | 10 ++++++++++
 security/selinux/Makefile         |  4 +++-
 security/selinux/hooks.c          | 10 ++++++++++
 security/selinux/include/objsec.h |  2 ++
 4 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 8af7a69..7bcc015 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -99,3 +99,13 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
 	  via /selinux/checkreqprot if authorized by policy.
 
 	  If you are unsure how to answer this question, answer 0.
+
+config FASTER_RETRIEVAL_PKEY_SID
+	bool "quicker retrieval of PKey SIDs"
+        depends on SECURITY_SELINUX
+        default y
+        help
+         This option enables cache for quicker retrieval of PKey SIDs
+	 by storing the Pkey SIDs to cache.
+	 Better performance but penalty on memory (RAM ).
+	 for low ram devices better to say n.
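Review bot: The new FASTER_RETRIEVAL_PKEY_SID entry mixes space and tab indentation: the "depends on", "default y" and "help" lines and the first help-text line are indented with spaces, while the remaining help lines use a tab, unlike the entry above it, which uses a tab plus two spaces for its help text. Please indent the attributes with one tab and the help text with a tab plus two spaces. The symbol also drops the SECURITY_SELINUX_ prefix carried by the neighbouring SECURITY_SELINUX_CHECKREQPROT_VALUE, and the help text would be clearer if it said what a PKey is (the caller in hooks.c is selinux_ib_pkey_access) and replaced "for low ram devices better to say n" with a full sentence that ends in a recommendation for the unsure case, as the entry above does.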
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index c7161f8..192f4ba 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -6,12 +6,14 @@
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-	     netnode.o netport.o ibpkey.o exports.o \
+	     netnode.o netport.o exports.o \
 	     ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
 	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o
ss/status.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
+selinux-$(CONFIG_FASTER_RETRIEVAL_PKEY_SID) += ibpkey.o
+
 selinux-$(CONFIG_NETLABEL) += netlabel.o
 
 ccflags-y := -I$(srctree)/security/selinux
-I$(srctree)/security/selinux/include
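Review bot: The context lines of this hunk were wrapped in transit: "ss/status.o" and "-I$(srctree)/security/selinux/include" sit on lines of their own with no leading space, so the hunk no longer matches its "@@ -6,12 +6,14 @@" header and will not apply. The "@@" header of the third hooks.c hunk and the "diff --git" line for objsec.h are split the same way; please resend with git send-email or a client that does not wrap lines. On the change itself, making ibpkey.o conditional means every caller of its functions must be covered for the disabled case, so a build with the option set to n is needed to confirm that nothing else in selinux-y still links against it.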
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index af030ff..60c4212 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -92,7 +92,11 @@
 #include "netif.h"
 #include "netnode.h"
 #include "netport.h"
+
+#ifdef CONFIG_FASTER_RETRIEVAL_PKEY_SID
 #include "ibpkey.h"
+#endif
+
 #include "xfrm.h"
 #include "netlabel.h"
 #include "audit.h"
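Review bot: The #ifdef around the "ibpkey.h" include is not needed if that header only declares the sel_ib_pkey_* functions, since unused declarations are harmless when ibpkey.o is not built. Keeping the include unconditional also lets the header carry the disabled-case stubs, so hooks.c needs no conditionals at all. The two added blank lines split the include list for no reason and should be dropped.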
@@ -177,7 +181,9 @@ static int selinux_netcache_avc_callback(u32 event)
 static int selinux_lsm_notifier_avc_callback(u32 event)
 {
 	if (event == AVC_CALLBACK_RESET) {
+#ifdef  CONFIG_FASTER_RETRIEVAL_PKEY_SID
 		sel_ib_pkey_flush();
+#endif
 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 	}
 
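Review bot: Rather than an #ifdef inside selinux_lsm_notifier_avc_callback(), give ibpkey.h an empty static inline sel_ib_pkey_flush() for the case where CONFIG_FASTER_RETRIEVAL_PKEY_SID is off, so that this call site stays exactly as it was. If the conditional is kept, note that "#ifdef  CONFIG_FASTER_RETRIEVAL_PKEY_SID" here has two spaces after #ifdef, unlike the other uses in this patch.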
@@ -6246,7 +6252,11 @@ static int selinux_ib_pkey_access(void *ib_sec, u64
subnet_prefix, u16 pkey_val)
 	struct ib_security_struct *sec = ib_sec;
 	struct lsm_ibpkey_audit ibpkey;
 
+#ifdef CONFIG_FASTER_RETRIEVAL_PKEY_SID
 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
+#else
+	err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
+#endif
 	if (err)
 		return err;
 
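Review bot: The #else branch in selinux_ib_pkey_access() makes every pkey access check call security_ib_pkey_sid() directly, and the commit message gives no figures for either the RAM saved or the lookup cost added; please include both so the trade-off can be judged. The fallback would also read better as a static inline sel_ib_pkey_sid() in ibpkey.h that forwards to security_ib_pkey_sid() when the option is off, which removes this #ifdef/#else from the hook.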
diff --git a/security/selinux/include/objsec.h
b/security/selinux/include/objsec.h
index 9cec304..5608978 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -147,11 +147,13 @@ struct ib_security_struct {
 	u32 sid;        /* SID of the queue pair or MAD agent */
 };
 
+#ifdef CONFIG_FASTER_RETRIEVAL_PKEY_SID
 struct pkey_security_struct {
 	u64	subnet_prefix; /* Port subnet prefix */
 	u16	pkey;	/* PKey number */
 	u32	sid;	/* SID of pkey */
 };
+#endif
 
 struct bpf_security_struct {
 	u32 sid;  /*SID of bpf obj creater*/
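Review bot: Wrapping struct pkey_security_struct in #ifdef CONFIG_FASTER_RETRIEVAL_PKEY_SID saves nothing, because a type definition on its own occupies no memory in the built kernel. Leave it unconditional so that any code referring to the type still compiles with the option off.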
-- 
1.9.1

Regards,
Ravi
